Report - stub.exe

Tags: Generic Malware, Malicious Library, UPX, Malicious Packer, PE File, PE64, OS Processor Check
Created 2023.10.13 08:40 Machine s1_win7_x6403
Filename stub.exe
Type PE32+ executable (GUI) x86-64, for MS Windows
AI Score 4
Behavior Score 6.6
ZERO API file: malware
VT API (file) 10 detected (malicious, moderate confidence, Artemis, Greedy, Znyonm, Detected, CLOUD, Outbreak)
md5 7267c31ceaa3b35c96494360402a4788
sha256 a7cf48b6108e96096026425b964905f2035427c2af97fca0618d5947515f25b2
ssdeep 98304:Yh0Af9saCDQeXNGUY1WpI1Hgj0hA7cQcPnkWDq0vH6ddW6TktuFfp39sqfMXGqh0:iV0DQKcLQcPnkWDq0vH6ddW6TktuFfpD
imphash ece4846704febbd2176fd563dfd00581
impfuzzy 96:jsHyzx3rXVqiWD5JSbI5Ckzav5fcg+PJtM6IWQws7:IHyNrEiWtgbI5CkzafWQn

Signature (12cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
watch Appends a known CryptoMix ransomware file extension to files that have been encrypted
watch Attempts to identify installed AV products by installation directory
watch Communicates with host for which no DNS query was performed
watch File has been identified by 10 AntiVirus engines on VirusTotal as malicious
watch Harvests credentials from local email clients
watch Harvests credentials from local FTP client software
notice Steals private information from local Internet browsers
notice Uses Windows utilities for basic Windows functionality
info Collects information to fingerprint the system (MachineGuid)
info One or more processes crashed
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (7cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE64 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (85cnts)


Suricata ids

PE API

IAT (Import Address Table) Library

ntdll.dll
 0x1404085c0 RtlCaptureContext
 0x1404085c8 RtlLookupFunctionEntry
 0x1404085d0 RtlUnwindEx
 0x1404085d8 NtCancelIoFileEx
 0x1404085e0 RtlVirtualUnwind
 0x1404085e8 NtReadFile
 0x1404085f0 NtWriteFile
 0x1404085f8 NtCreateFile
 0x140408600 RtlNtStatusToDosError
 0x140408608 NtDeviceIoControlFile
 0x140408610 RtlPcToFileHeader
kernel32.dll
 0x1404080b8 CreateEventW
 0x1404080c0 WaitForMultipleObjects
 0x1404080c8 GetOverlappedResult
 0x1404080d0 WaitForSingleObject
 0x1404080d8 GetExitCodeProcess
 0x1404080e0 GetSystemInfo
 0x1404080e8 GetComputerNameExW
 0x1404080f0 QueryPerformanceCounter
 0x1404080f8 QueryPerformanceFrequency
 0x140408100 AddVectoredExceptionHandler
 0x140408108 SetThreadStackGuarantee
 0x140408110 HeapReAlloc
 0x140408118 SwitchToThread
 0x140408120 GetConsoleOutputCP
 0x140408128 GetStringTypeW
 0x140408130 GetQueuedCompletionStatusEx
 0x140408138 CreateIoCompletionPort
 0x140408140 SetFileCompletionNotificationModes
 0x140408148 FindClose
 0x140408150 GetLastError
 0x140408158 DeleteFileW
 0x140408160 FindNextFileW
 0x140408168 CloseHandle
 0x140408170 ReleaseSRWLockExclusive
 0x140408178 AcquireSRWLockExclusive
 0x140408180 GetFileType
 0x140408188 PostQueuedCompletionStatus
 0x140408190 SetStdHandle
 0x140408198 SetEnvironmentVariableW
 0x1404081a0 GetCPInfo
 0x1404081a8 GetOEMCP
 0x1404081b0 GetACP
 0x1404081b8 IsValidCodePage
 0x1404081c0 HeapAlloc
 0x1404081c8 FindFirstFileExW
 0x1404081d0 GetProcessHeap
 0x1404081d8 HeapFree
 0x1404081e0 InitializeCriticalSectionAndSpinCount
 0x1404081e8 TlsAlloc
 0x1404081f0 LCMapStringW
 0x1404081f8 CompareStringW
 0x140408200 FlsFree
 0x140408208 FlsSetValue
 0x140408210 SleepConditionVariableSRW
 0x140408218 WakeConditionVariable
 0x140408220 WakeAllConditionVariable
 0x140408228 TlsGetValue
 0x140408230 FormatMessageW
 0x140408238 MoveFileExW
 0x140408240 LockFileEx
 0x140408248 UnlockFile
 0x140408250 Sleep
 0x140408258 FlsGetValue
 0x140408260 GetModuleHandleA
 0x140408268 GetProcAddress
 0x140408270 GetCurrentThread
 0x140408278 TryAcquireSRWLockExclusive
 0x140408280 GetStdHandle
 0x140408288 GetConsoleMode
 0x140408290 MultiByteToWideChar
 0x140408298 TlsSetValue
 0x1404082a0 SetLastError
 0x1404082a8 GetEnvironmentVariableW
 0x1404082b0 GetTempPathW
 0x1404082b8 CreateFileW
 0x1404082c0 GetFileInformationByHandle
 0x1404082c8 GetFileInformationByHandleEx
 0x1404082d0 GetFullPathNameW
 0x1404082d8 GetFinalPathNameByHandleW
 0x1404082e0 SetFilePointerEx
 0x1404082e8 GetModuleHandleW
 0x1404082f0 CreateDirectoryW
 0x1404082f8 FindFirstFileW
 0x140408300 FlsAlloc
 0x140408308 GetTimeZoneInformation
 0x140408310 GetCommandLineW
 0x140408318 GetCommandLineA
 0x140408320 GetEnvironmentStringsW
 0x140408328 FreeEnvironmentStringsW
 0x140408330 CompareStringOrdinal
 0x140408338 GetModuleFileNameW
 0x140408340 GetSystemDirectoryW
 0x140408348 GetWindowsDirectoryW
 0x140408350 CreateProcessW
 0x140408358 GetFileAttributesW
 0x140408360 GetCurrentProcess
 0x140408368 DuplicateHandle
 0x140408370 GetCurrentProcessId
 0x140408378 CreateThread
 0x140408380 SleepEx
 0x140408388 WriteFileEx
 0x140408390 ReadFileEx
 0x140408398 CancelIo
 0x1404083a0 ReadFile
 0x1404083a8 GetSystemTimeAsFileTime
 0x1404083b0 SetFileInformationByHandle
 0x1404083b8 CopyFileExW
 0x1404083c0 SetHandleInformation
 0x1404083c8 ExitProcess
 0x1404083d0 GetModuleHandleExW
 0x1404083d8 FreeLibraryAndExitThread
 0x1404083e0 TlsFree
 0x1404083e8 LoadLibraryExW
 0x1404083f0 FreeLibrary
 0x1404083f8 GetNativeSystemInfo
 0x140408400 FlushFileBuffers
 0x140408408 GetTickCount
 0x140408410 MapViewOfFile
 0x140408418 CreateFileMappingW
 0x140408420 FormatMessageA
 0x140408428 GetSystemTime
 0x140408430 WideCharToMultiByte
 0x140408438 SystemTimeToFileTime
 0x140408440 GetFileSize
 0x140408448 LocalFree
 0x140408450 HeapDestroy
 0x140408458 HeapCompact
 0x140408460 LoadLibraryW
 0x140408468 DeleteFileA
 0x140408470 WaitForSingleObjectEx
 0x140408478 LoadLibraryA
 0x140408480 CreateFileA
 0x140408488 FlushViewOfFile
 0x140408490 OutputDebugStringW
 0x140408498 GetFileAttributesExW
 0x1404084a0 GetFileAttributesA
 0x1404084a8 GetDiskFreeSpaceA
 0x1404084b0 GetTempPathA
 0x1404084b8 HeapSize
 0x1404084c0 HeapValidate
 0x1404084c8 UnmapViewOfFile
 0x1404084d0 CreateMutexW
 0x1404084d8 UnlockFileEx
 0x1404084e0 SetEndOfFile
 0x1404084e8 GetFullPathNameA
 0x1404084f0 SetFilePointer
 0x1404084f8 LockFile
 0x140408500 OutputDebugStringA
 0x140408508 GetDiskFreeSpaceW
 0x140408510 WriteFile
 0x140408518 HeapCreate
 0x140408520 AreFileApisANSI
 0x140408528 InitializeCriticalSection
 0x140408530 EnterCriticalSection
 0x140408538 LeaveCriticalSection
 0x140408540 TryEnterCriticalSection
 0x140408548 DeleteCriticalSection
 0x140408550 GetCurrentThreadId
 0x140408558 EncodePointer
 0x140408560 WriteConsoleW
 0x140408568 CreateNamedPipeW
 0x140408570 ExitThread
 0x140408578 GetStartupInfoW
 0x140408580 IsDebuggerPresent
 0x140408588 InitializeSListHead
 0x140408590 IsProcessorFeaturePresent
 0x140408598 UnhandledExceptionFilter
 0x1404085a0 SetUnhandledExceptionFilter
 0x1404085a8 TerminateProcess
 0x1404085b0 RaiseException
crypt.dll
 0x140408040 BCryptGenRandom
crypt32.dll
 0x140408050 CertGetCertificateChain
 0x140408058 CertFreeCertificateContext
 0x140408060 CertDuplicateCertificateChain
 0x140408068 CertEnumCertificatesInStore
 0x140408070 CertDuplicateStore
 0x140408078 CertDuplicateCertificateContext
 0x140408080 CertFreeCertificateChain
 0x140408088 CertVerifyCertificateChainPolicy
 0x140408090 CertOpenStore
 0x140408098 CryptUnprotectData
 0x1404080a0 CertAddCertificateContextToStore
 0x1404080a8 CertCloseStore
secur32.dll
 0x140408620 GetUserNameExW
 0x140408628 FreeContextBuffer
 0x140408630 DeleteSecurityContext
 0x140408638 FreeCredentialsHandle
 0x140408640 EncryptMessage
 0x140408648 ApplyControlToken
 0x140408650 AcceptSecurityContext
 0x140408658 AcquireCredentialsHandleA
 0x140408660 InitializeSecurityContextW
 0x140408668 QueryContextAttributesW
 0x140408670 DecryptMessage
advapi32.dll
 0x140408000 CredFree
 0x140408008 GetUserNameW
 0x140408010 SystemFunction036
 0x140408018 RegOpenKeyExW
 0x140408020 RegCloseKey
 0x140408028 RegQueryValueExW
 0x140408030 CredEnumerateA
ws2_32.dll
 0x140408680 WSAIoctl
 0x140408688 ioctlsocket
 0x140408690 WSASocketW
 0x140408698 connect
 0x1404086a0 getsockopt
 0x1404086a8 shutdown
 0x1404086b0 getaddrinfo
 0x1404086b8 freeaddrinfo
 0x1404086c0 WSAStartup
 0x1404086c8 setsockopt
 0x1404086d0 WSACleanup
 0x1404086d8 recv
 0x1404086e0 closesocket
 0x1404086e8 send
 0x1404086f0 getsockname
 0x1404086f8 WSAGetLastError
 0x140408700 getpeername
 0x140408708 WSASend
 0x140408710 ind

EAT (Export Address Table): none
